-->
We assisted a Silicon Valley-based security products company in extending their stackable Linux filesystem driver to support advanced encryption methods for remote filesystems. This project enabled better file protection and compliance with FIPS standards without requiring invasive changes to the clients' production setups.
Our client is a Silicon Valley company specializing in security products. They offer solutions to protect both unstructured data, such as files in a filesystem, and structured data, like databases. Their products are compatible with major Unix and Windows variants and operate within the kernel or user space based on the security assurances required by their clientele.
The client had a stackable Linux filesystem driver that encrypted files using the AES-CBC algorithm. They extended the product to include AES CBC-CS1 support, enabling per-file IV for enhanced protection. However, this algorithm required additional storage for IV and other encryption metadata. Most local filesystems could access this storage via extended attributes (xattrs), but CIFS and CVFS filesystems could not.
To avoid forcing customers to make invasive changes to their production setups, such as kernel modifications or server-side configuration changes, the client decided to store the IV and metadata in the first 4096 bytes of the file.
Modify the filesystem driver to intercept xattr-related calls for CIFS and CVFS filesystems.
Write the IV and other encryption-related metadata to the first 4K bytes of the file.
Ensure the solution is generic enough to extend to other filesystems in the future.
Modify an existing user-space utility to migrate files encrypted with AES-CBC to AES CBC-CS1.
Enable AES CBC-CS1 support for CIFS and CVFS filesystems.
Modified the migration utility to relocate data blocks to create space for storing xattrs in existing files.
Assisted customers in migrating files encrypted with AES-CBC to AES CBC-CS1 encryption.
Enabled AES CBC-CS1 support for CIFS and CVFS filesystems.
Developed a separate module for handling xattrs:
Used local xattrs for files from local filesystems.
Used the first 4096 bytes for files from remote filesystems like CIFS or CVFS.
Enhanced the existing xattrs code to save xattrs in the appropriate location based on the filesystem type.
Successfully enabled per-file IV functionality on remote filesystems without requiring invasive changes to the clients' production setups.
Modified the user-space utility to facilitate the migration of files to the new encryption standard.
Transitioned customers to a superior and FIPS-compliant encryption algorithm, safeguarding their data with enhanced security measures.
Our filesystem team made significant modifications to the client's filesystem driver, enabling per-file IV functionality for remote filesystems. This allowed the client's customers to transition to a more secure and FIPS-compliant encryption algorithm without disrupting their existing production environments. The stackable nature of the filesystem driver ensured that these changes were transparent to the applications, providing a seamless upgrade path for enhanced data security.